Skip to main content

Account standard

Purpose

This document is to assist University users in establishing and maintaining secure usernames and accounts. It specifies the details as referred to by policies:

  • 8000 Information Technology Resource Use
  • 8020 Server Administration
  • 8030 Desktop, Laptop, and Tablet PC Computing Standards
  • 8130 Remote Access

Scope

These standards apply to all users and devices, physical or virtual, connected to Boise State’s network or managed cloud services through a physical, wireless, or virtual private network.

Standards

Usernames

Unique usernames and passwords are required to access all systems for each session. Active Directory is the source of truth for all username and passwords. If a system is not capable of being linked to the university password and account system an exception should be sought and reviewed.

Usernames should be:

  • Generated by the university identity system of record
  • Composition – Usernames are based on first and last name. Any duplicates will append 3 random numbers.
  • Length – Usernames will be shorter than 20 characters. Long usernames will be truncated to 16 characters and any duplicates will append random numbers.

Users are permitted to request changes to their username. Instructions and limitation can be found on the OIT Accounts webpage.

Email accounts

Electronic mail (email) is a primary means of communication both within the University and externally.

Use of email accounts

1. University Workforce

Email services are intended to allow all University faculty and staff to conduct University business. Personal use of email is not prohibited, provided that personal use (a) does not materially interfere with performance of an employee’s work responsibilities, (b) does not interfere with the performance of the University networks and (c) is otherwise in compliance with this and other University policies. There is no guarantee that information transmitted or stored in the course of personal use of University email services will be confidential or securely preserved. 

High Risk data transmitted by email or other electronic transmission, must be encrypted or otherwise adequately protected. Protection is necessary in order for the University or its affiliates to meet compliance obligations, or the unauthorized disclosure, access, alteration, loss or destruction of those data could have a material impact on the University or its affiliates’ mission, assets, operations, finances, or reputation, or could pose material harm to individuals. 

2. Students

The University currently provides email services to all students. Student use of email is subject to all University policies and student conduct codes.

3. Ownership of Email Data 

The University owns all University email accounts. Subject to underlying copyright and other intellectual property rights under applicable laws and University policies, the University also owns data transmitted or stored using the University email accounts. 

Email forwarding

To strengthen security and maintain trust in email communications, Boise State University has implemented controls that restrict bulk and rule-based automatic email forwarding to non-Boise State accounts for all employees. This change does not affect the ability to manually forward individual messages using the “Forward” button and does not apply to student accounts. It applies only to automatic rules that forward all incoming email to another address.

Once information leaves the Boise State email environment, the university can no longer ensure its protection. This limitation addresses several key risks and requirements:

  • Data Loss Prevention: Bulk forwarding increases the likelihood that sensitive university data may be unintentionally or maliciously shared outside the institution.
  • Phishing and Spoofing Mitigation: Forwarded messages can be altered to appear as though they originate from Boise State, increasing the risk of phishing attacks.
  • Compliance with Security Standards: Supports alignment with industry best practices and federal cybersecurity frameworks.
  • Incident Response Efficiency: Simplifies the process of tracking and containing potential breaches by reducing reliance on external systems.
  • Compliance with FERPA: Federal laws protect student and other confidential information from unauthorized disclosure, including to third-party email service providers.
  • Idaho Public Records Act: University records stored in personal email accounts may subject those accounts to public records requests and legal review.

Common Questions

Can email still be forwarded to colleagues outside the University, or other non boisestate.edu addresses?

Yes, the ability to compose, or forward, an individual message and send it to non-@boisestate.edu addresses will NOT be removed. This restriction will only affect the ability to auto-forward all email to another personal email address.

Does this impact shared accounts?

There is an exclusion process in place to allow auto-forwarding for functional services which may need to send messages to alerting services or third parties.

Is there an exception process?

Legitimate purposes for auto-forwarding email can vary for each department, but often include using a non-person account with a secured system that uses an outside email address to assist with fulfilling a contracted service for the university. Examples may include:

  • Vendor or Partner Integration: When a business-critical process requires forwarding to a trusted external domain.
  • Shared Service Accounts: Accounts used for automated workflows that need forwarding for operational continuity.
  • Regulatory or Legal Requirements: Specific compliance scenarios where forwarding is mandated by law or contractual obligation.

Can emeriti be allowed to automatically forward email to a non-Boise State email address?

Yes; however, the emeritus must still submit an exception request for this to be allowed.

What will happen if I setup auto-email forwarding?

Any email automatically forwarded to an external recipient will result in the sender receiving a  Non-Delivery Report (NDR) error message. Additionally, the delivery of the message to an external recipient will fail.

Multifactor Authentication (MFA) 

Multifactor authentication (MFA), often referred to as two-factor authentication, adds an extra layer of security to the login process. In addition to a password, users must provide a second form of verification, such as additional information or a physical device, to access their accounts. Idaho state law requires MFA for all Boise State accounts and systems.  

Non-compliance and exceptions

A Request for Exception, along with a plan for risk assessment and management, can be submitted at ServiceNow. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to Human Resources and or the Dean of Students.

Updates

Created: November 2021

Last update: April 2026

Next review: February 2027